Assessing Information Technology General Control Risk: An Instructional Case Carolyn Strand Norman, Mark D. Payne, and Valaria P. Vendrzyk ABSTRACT: Information Technology General Controls (ITGCs), a fundamental category of internal controls, provide an overall foundation for reliance on any information produced by a system. Since the relation between ITGCs and the information produced by an organization’s various application programs is indirect, understanding how ITGCs interact and affect an auditor’s risk assessment is often challenging for students. This case helps students assess overall ITGC risk within an organization’s information systems. Students identify speciﬁc strengths and weaknesses within ﬁve ITGC areas, provide a risk assessment for each area, and then evaluate an organization’s overall level of ITGC risk within the context of an integrated audit. Keywords: internal controls; general control; ITGC; risk assessment.

T

INTRODUCTION he Sarbanes-Oxley Act (SOX 2002) and the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (PCAOB 2007) require that the organization’s chief executive ofﬁcer (CEO) and chief ﬁnancial ofﬁcer (CFO) include an assessment of the operating effectiveness of their internal control structure over ﬁnancial reporting when issuing the annual report. External auditors must review management’s internal control assessment as part of an annual integrated audit of an organization’s internal controls over ﬁnancial reporting. In short, accountants—external auditors, internal auditors, and management accountants at all levels—are actively involved in helping their respective organizations comply with SOX-related internal control requirements. Because of the pervasiveness of IT in organizations, the information systems themselves contain many internal controls. As a result, both internal and external auditors must develop an understanding of the IT environment and its related processes and controls, including the IT general controls (ITGCs), by performing risk assessment procedures. Although deﬁciencies in ITGCs do not directly result in misstated ﬁnancial statements or material

control weaknesses, they can indirectly cause or contribute to application control deﬁciencies (Center for Public Company Audit Firms 2004). Since the relation between ITGCs and the information produced by an organization’s various application programs is indirect, understanding how ITGCs interact and affect an auditor’s risk assessment is often challenging for students. Accordingly, our case offers accounting faculty an assignment or project that is a ‘‘real world,’’ comprehensive supplement to textbook materials on the topic of risk and ITGCs. THE CASE Several months ago, you started working at a large public accounting ﬁrm as an IT staff auditor. You are currently working on your ﬁrst assignment, an ITGC review of the Foods Fantastic Company (FFC). FFC is a publicly traded, regional grocery store chain, headquartered in Mason, Maryland, and includes 50 stores located in the mid-Atlantic area. The centralized data center is in Mason. FFC relies on an integrated suite of application...

YOU MAY ALSO FIND THESE DOCUMENTS HELPFUL

...CASESTUDY and ANALYSIS
* CASE 1
With regards to the comment of the junior consultant, I could say that although it is better for a consultant t to maintain the confidentiality as a result of professional relationship, it should be noted also that consultants do have ethical requirements being followed in the conduct if work. Moreover, a consultant cannot be deterred from performing its professional duty to disclose this information to the external auditors who have the greater responsibility to take charge of this matter. In short, those questionable management practices are not to be held confidential but are to be given notice on the responsible authority.
* CASE 2
The president having a high authority within the organization and whom the problem is directly attributed into, would be quite improper for a consultant to bypass his authority of knowing such information. Although it might create a threat on my part, I should directly notify him of such matter knowing that I am after the overall welfare of the organization rather than its individuals.
* CASE 3
As a consultant, I have no direct authority to divulge the anomalies or frauds within the organization. Although this case presents a dilemma involving intimidation threat coming from higher authority, there is a need for me to discuss the real matter to the external auditors who have greater authority regarding this...

...﻿
CaseStudies in Middle Adulthood
By Gail Hall
BSHS/325
Professor Deborah White
September 16, 2014
As a part of the human service professional reviewing casestudies will be an important part of the job. Not only should we keep notes on every client but we could use them as a reference for future clients. The casestudies could become useful if past and future clients have similar cases. In this casestudy we will examine family, social, and intimate relationships. Identify any role changes that may have occurred, and immediate and future effects of healthy and unhealthy habits demonstrated in this casestudy.
My casestudy is on Jackson the 25-year-old, unemployed, single adult male, with a substance and alcohol abuse problem. After graduating high school Jackson started attending college the following fall to earn a degree in chemistry. In the course of his freshman year Jackson suffered a major head injury in a car accident. As a result he sustained loss of his cognitive and analytical functioning skills, due to damage to his Cerebrum. Jackson begin drinking alcohol and abusing the painkillers giving to him by Doctors following the accident. As a result Jackson is now using prescription painkillers and mixing with alcohol to relieve...

...business groups-wireless, fixed line, and information and communications technology-PLDT offers the largest and most diversified range of telecommunications services across The Philippines’ most extensive fibber optic backbone and wireless, fixed line and satellite networks. PLDT is listed on the Philippines Stock Exchange (PSE: TEL) and its American Depositary Shares are listed on the New York Stock Exchange (NYSE:PHI) and the Pacific Exchange. PLDT has one of the largest market capitalizations among the Philippine listed companies. The fixed line business provides local calls, national and international long distance services, which operates around 2.1 million access lines. The wireless...Food Procurement
INTRODUCTION Background of the Study Mang Inasal Chicken BBQ is the Philippine's fastest growing barbeque fast food chain, serving chicken, pork barbeque and other Filipino favorites, was first established on December 12, 2003 in Iloilo City. Currently, there were 445 branches nationwide and...
Premium3653 Words12 Pages
Mang Inasal
How can Mang Inasal sustain its success? Your column on Mang Inasal?s success secret is still the continuing topic of our group?s conversations. We?re a foursome of Asian Institute of Management (AIM) Master in Entrepreneurship (ME) graduates and you taught our batch. There?s one question raised...
Premium1094 Words3 Pages
Mang Inasal
Apart from the usual food presentations of multinational food company copycats, Mang...

...﻿CASESTUDY
A DAY IN THE LIFE
QUESTION:
1. How effectively do you think Rachel spent her day?
2. What does the case tell you ask what it is like to be a project manager?
Project is a complex, non-routine, one time effort that is limited by time, budget, resources and performance specifications and it’s implemented to meet the customer requirements:
This case shows a daily working life of Rachel, the project manager of large information systems project; the case mainly discussed the way a project manager allocates her time to spent one day in her life. A day in the life also shows a glimpse of what it is like to be a project manager. It also underscores that being a project manager is more social than technical and that project manager spend the majority of their time interacting with various people who impact on a project.
The effectiveness of Rachel spent her day project is complex, non-routine, one time effort limited by time,budget,resources and performance specifications designed to meet customer needs. Considering the casestudy, Rachel allocates her time significantly on activities not done respectively before that in my point of view can be applied as project activities.
Activities such as going over project reports and preparing for the weekly status meeting, going over problems with her boss, participating in a conference call and responding to the issues...

...CaseStudy Analysis
Diana Hamilton
Comm/215
April 16, 2012
Lyn Wolf
Title of Paper
Carl Robins, began working for ABC, Incorporated, about six months ago as a campus recruiter. This is considered a tough job, which involves many responsible. Carl had only been with the company for six months, but expressed he was ready to begin recruiting people. In early April, Carl recruited his first fifteen people. Those people would be working for Monica Carroll who was the Operations Supervisor. Monica informed Carl that she would need them to be done with orientation and working by July, first. Carl planed for all fifteen people to begin orientation on June fifteenth, this would give Carl fifteen days to finish up everything that was not complete. This casestudy will discuss what Carl Robins was responsible for, it will examine the key problems, and analysis what caused these problems, and provide different possible solutions to the problems.
The Facts
The facts in this casestudy, some of which have already been discussed previously are as followed: Carl had only been working for ABC, Incorporated, for six months before making the decision that he was ready to take on all the responsibilities of a recruiter. Carl recruited his first fifteen new hire employees in early April, and informed all fifteen people that orientation was scheduled for June fifteenth. Carl...

...CASESTUDY SOLUTION
The Carter Cleaning Company
Ahmed Ali
ID: 11901
Chapter 4:
Job Analysis Continuing Case:
The carter cleaning company: The job description
1. What should be the format and final form of the store manager’s job description?
Answer: The format noted in figure 4-6 could be a reasonable format to use. Students may recommend
that Jen should include a “standards of performance” section in the job description. This lists the
standards the employee is expected to achieve under each of the job description’s main duties and
responsibilities, and would address the problem of employees not understanding company policies,
procedures, and expectations. In addition, students may recommend that Jennifer instead take a
competency-based approach which describes the job in terms of the measurable, observable, behavioral
competencies that an employee doing that job must exhibit. Because competency analysis focuses more
on “how” the worker meets the job’s objectives or actually accomplishes the work, it is more worker
focused.
2. Was it practical to specify standards and procedures in the body of the job description, or
should these be kept separately?
Answer: They do not need to be kept separately, and in fact both Jen and the employees would be
better served by incorporating standards and procedures into the body of the description. The exception
to this would be if the standards and procedures are so complex or involved that it...

...CaseStudyCasestudy methods
involve


Systematically gathering enough information
about a particular person, social setting, event,
or group to permit the researcher to effectively
understand how it operates or functions.
Casestudies may focus on an individual, a
group, or an entire community and may utilize
a number of data technologies such as life
stories, documents, oral histories, in-depth
interviews, and participant observation.
Types of casestudies
Stake (1995) suggests that researchers
have different purposes for studying
cases. He suggests that casestudies
can be classified into three different
types: intrinsic, instrumental, and
collective
Intrinsic casestudies


Intrinsic casestudies are undertaken when
researcher wants to better understand a
particular case.
It is not undertaken primarily because it
represents other cases or because it
illustrates some particular trait,
characteristic, or problem. Rather, it is
because of its uniqueness or ordinariness
that a case becomes interesting.
Instrumental casestudies
Instrumental casestudies provide
insights into an issue or refine a
theoretical explanation.
 The intention is to assist the...